
bri3d | 5 days ago

The referenced write-up based on the Persona front end code is here:

https://vmfunc.re/blog/persona

I definitely recommend reading this primary source before drawing conclusions about the code as most of the secondary reporting is quite low quality.


cloverich | 5 days ago

Note also there's a direct response from Persona's security team here[1], and a lot of back and forth from Rick on Twitter[2].

[1]: https://withpersona.com/blog/post-incident-review-source-map...

[2]: https://x.com/Persona_IDV/status/2025048195773198385?s=20

nailer | 5 days ago

> About the name: The subdomain was called onyx, a reference to the Pokémon Onix (a Pokémon made of multiple boulders, fitting for a multi-node architecture). It was an informal codename chosen by the engineer. It had no connection whatsoever to Fivecast ONYX, an unrelated 3rd party commercial product previously used by ICE. We understand this coincidence caused confusion, and we address it further below.

nebezb | 5 days ago

I read it and, maybe it’s because I’ve spent too much time in fintech, I don’t share most of the concerns.

The differences in proclaimed data retention periods are concerning though. The rest is par for the course for KYC/AML.

bri3d | 5 days ago

I agree; I didn't want to editorialize too much as I think the writeup stands on its own.

My takeaway was that in this case, even an author with a clear and extreme bias against this sort of thing could find only unfortunately-common bad practices rather than deeply nefarious intent. Of course, this is just the front-end code, but this just looks like a KYC platform to me. Most of the secondary reports on this write-up seem to completely ignore section 0x13 and jump to the specific conclusions the author does not draw.

The fact that we've created a system where Discord need and want a KYC platform is a different and quite strange thing, but the KYC platform itself just looks like what it says on the tin.

boppo1 | 5 days ago

Tell me more before I doom about this too much.

dgxyz | 5 days ago

Good article but the web site gave me eye and ear cancer.

Please make it actually readable and don't steal my audio!

vincnetas | 5 days ago

Damn. Why did the website steal my audio?

pavel_lishin | 5 days ago

Some of the most interesting authors in tech on the internet have just absolute awful websites. Blinking animations everywhere, weird sounds, "cute" little javascript animations like it's 1999 again.

fuddle | 5 days ago

Yeah, come on! I'm trying to watch a video and read the article!

tofuahdude | 5 days ago

That was a great read, very interesting!